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Abstract 

Asymptotically good sequences of linear ramp secret sharing schemes have 
been intensively studied by Cramer et al. in terms of sequences of pairs of nested 
algebraic geometric codes m 0 El B 0 do]. In those works the focus is on full 
privacy and full reconstruction. In this paper we analyze additional parameters 
describing the asymptotic behavior of partial information leakage and possibly 
also partial reconstruction giving a more complete picture of the access struc¬ 
ture for sequences of linear ramp secret sharing schemes. Our study involves a 
detailed treatment of the (relative) generalized Hamming weights of the consid¬ 
ered codes. 
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1 Introduction 

A secret sharing scheme [221 B El EH is a cryptographic method to encode a secret 
s into mnltiple shares ci,...,Cn so that only from specihed subsets of the shares 
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one can recover s. Often it is assumed that n participants each receive a share, 
no two different participants receiving the same. The secret and the share vector 
c = (ci,..., Cn) corresponding to it are assumed to be taken at random with some 
given distributions (usually uniform), and the recovery capability of a set of shares is 
measured from an information-theoretical point of view m The term ramp secret 
sharing scheme EZIEIE] is used for those schemes where some sets of shares partially 
determine the secret, but not completely. This allows the shares to be of smaller size 
than the secret. 

In this paper, we concentrate on linear ramp secret sharing schemes with uniform 
distribution on the secret and uniform distribution on the share vector conditioned 
to the secret, which is widely considered in the literature (see, for instance, ElEmsi 
m)- Here, the secret is a vector s G (for some hnite held F^), and we assume 
that the shares are elements Ci,... ,c„ G F^. The term linear means that a linear 
combination of share vectors is a share vector of the corresponding linear combination 
of secrets. In [3 Sec. 4 . 2 ] it was shown that such schemes are equivalent to the 
following construction based on two nested linear codes C2 ^ Ci <Z F” with dim Ci — 
dim 6*2 = i. Writing ^2 = dim 6*2 and ki = dimCi (and consequently i = ki — /C2) lef 
{bi,..., bfcj} be a basis for C2 and extend it to a basis {bi,..., b^^} for Ci. A secret 
s = {si,... ,Si) is encoded by hrst choosing at random coefficients oi, ..., 0^2 G Fg 
and then letting the share vector be 

c = Oibi Ofcjbfcj + Sibfc2+i + ■ • • + Sfbfcj. (1) 

Dehne a g-bit of information to be log2(g) bits of information. Then, for the schemes 
that we consider, the mutual information between the secret and a set of shares is an 
integer between 0 and i if measured in g-bits m Proof of Th. 4 ]. Therefore, for each 
m = 1 , ...,£, we may dehne the following threshold values [T^ Def. 2 ]: 

• The m-th privacy threshold of the scheme is the maximum integer tm such that 
from no set of shares one can recover m g-bits of information about the 
secret. That is, tm = max{#J | J C {1 ,..., n}, I{J) < m}, where /(J) = /(si, 
..., Si ; {ci \ i E J)). Here, q is the i-th component of c in ([T]), and /(;) is the 
mutual information taking logarithms in base g. 

• The m-th reconstruction threshold of the scheme is the minimum integer 
such that from any set of shares one can obtain m g-bits of information 
about s. That is, = mm{^J | J C {1,..., n}, I{J) > m}. 

The numbers t = ti and r = ri have been intensively studied in the literature, e.g. 
[a 13 EH, where they are called privacy and reconstruction threshold, respectively. 
Clearly t is the greatest number such that no set of t shares holds any information 
on the secret and r is the smallest number such that from any set of r shares one 
can reconstruct the information in full. In a series of papers the asymptotic behavior 
of such parameters has been investigated 12 El El 0 El ED] in terms of corresponding 
inhnite sequences of nested code pairs of increasing length. In the present paper we 
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take a particular interest in sequences of nested code pairs (C'2(i) C Ci{i) C 
with rii and with ii = dimCi(z) — dim 6*2 (i) satisfying 

lim rii = oo, and hminf(£j/nj) = L ( 2 ) 

i^oo i—^oo 

for some hxed 0 < L < 1, see 12 El El m El ITO] . The reason for us to require (E]) is 
to obtain a constant information rate. For instance if the schemes are to be used in 
connection with distributed storage as mentioned in [ 57 ] then a memory of size 1/L 
times the information size is enough. As in the above listed papers the focus in on 
full privacy and full reconstruction, what is studied there is 

lim inf — = and lim sup — = ( 3 ) 

Here, t and r are the privacy and reconstruction thresholds for the schemes based on 
(72(i) C Ci{i) C and thereby are functions in i. For any chosen value of L and 
corresponding feasible it is desirable to have the threshold gap as small 

as possible. One way of achieving this H El El 0 El EO] is to base the secret sharing 
schemes on sequences of nested code pairs related to an optimal tower of function 
helds and to require limj^oo(dim( 7 i(i)/ni) = R\ and limj^oo(dim(72(i)/nj) = R2 
for some fixed rates Ri > R2. Using the Goppa bound [ 15 ] one then obtains good 
parameters L = Ri — R2, and 0^) Por future reference we formalize the concept 
of asymptotic goodness in a definition, where for completeness we also include the 
case L = 0, although we do not study this case in the present paper. 

Definition 1. Let 0 < R 2 < Ri < 1 and consider a sequence of nested codes 
{C2{i) C Ci{i) C with rii —t 00, dimC2{i)/ni —)■ R2 and dim( 7 i(i)/nj —)■ Ri 

for i —)■ 00. The corresponding sequence of linear ramp secret sharing schemes is said 
to be asymptotically good if the parameters from (jS]) satisfy 0 < and < 1. 

The purpose of the present paper is to provide additional information on the 
access structure of sequences of linear ramp secret sharing schemes by studying partial 
information leakage and partial reconstruction parameters. More precisely, given a 
sequence of linear ramp secret sharing schemes and any hxed numbers 0 < ei, £2 < 1 
we study the asymptotic parameters 

A^^^(e:i) = sup { lim inf | satishes 

^ i—>oo rii 

1 < mi{i) < ii, lim(mi(i)/nj) = eiL\, 

A^^^(£2) = inf { lim sup | (^ 72 r 2 (f))“i satishes 

1 < m 2 (i) < ii, lim{m 2 {i)/ni) = £ 2 ^}. 

Such parameters tell us that asymptotically no fraction less than of the 

shares holds more information on the secret than a fraction ei. Similarly, from any 
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fraction greater than A^^^(£2) of the shares one can gain information on the secret 
corresponding to a fraction 1 — £2 or more. Of particular interest is A^^^(O) which 
ensures almost full privacy. It is a surprising fact that for secret sharing schemes 
based on algebraic geometric codes this number can be significantly larger than 
meaning that such schemes are more secure than anticipated (see Section [ 3 ] and 
Theorem I^T]) . The situation is similar with regards to reconstruction. In another 
direction, for fixed values of L and corresponding feasible A(^^(£i) we determine for 
the general class of ramp secret sharing schemes the smallest value A*^^^(£2) such that 
a sequence of codes with these parameters exists. This bound - which can be seen 
as an asymptotic Singleton bound for linear ramp secret sharing schemes - is then 
by a non-constructive proof shown to be achievable, but unfortunately, we obtain no 
information regarding and for those sequences. 

Sequences of linear ramp secret sharing schemes based on algebraic geometric 
codes defined from optimal towers of function fields are interesting for the following 
three reasons. Firstly, for such sequences the parameters L, and are si¬ 
multaneously good. Also A*^^)(e:i) and A’^^^(£2) are good, although they do not always 
reach the Singleton bound. Secondly, such sequences are constructible if g is a perfect 
square and are semi-constructible if not. Finally, as demonstrated in HElElElElDro] 
examples of such sequences are important in connection with secure multiparty com¬ 
putation due to nice properties on the componentwise product of share vectors. 

Our analysis of the asymptotic secret sharing parameters is based on the material 
in psiin] which translates information-theoretical properties of a ramp secret sharing 
scheme based on nested linear codes C2 ^ Ci <Z into coding-theoretical properties 
of the nested codes. In particular, bounding generalized Hamming weights j26] of 
Cl and C2 and relative generalized Hamming weights [ 18 ] of the pairs C2 ^ Ci and 

^ C2 implies bounds on the privacy and reconstruction numbers ti and r*. 

The paper is organized as follows. In Section H] we give the Singleton bound 
for linear ramp secret sharing schemes. Using the material from we then show 
that for arbitrary L, sequences of schemes exist such that for arbitrary £1, £2 one gets 
arbitrarily close to the Singleton bound for Ab)(£;^) and A^^)(£2)- In Section[ 3 ]we then 
discuss how to obtain sequences of ramp secret sharing schemes with good values of 
L, and from optimal towers of function fields. As a preparation step to treat 
later in the paper and A*^^^(£2) for these sequences of schemes we next study 

relative generalized Hamming weights of algebraic geometric codes in Section 0 ] and 
derive asymptotic consequences in Section [ 5 l Then finally in Section [6] we collect our 
findings into information on A*^^)(e:i) and A^^^(£2) for sequences of ramp 

secret sharing schemes based on algebraic geometric codes coming from optimal towers 
of function fields. 


2 The Singleton bound 

The code parameters governing the privacy and reconstruction numbers tm and of 
linear ramp secret sharing schemes are the relative generalized Hamming weights [ 18 ] 
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which we now define together with the generalized Hamming weights | 26 ) . 

Definition 2. Consider C 2 ^ Ci G F” and let i = ki — k 2 where ki = dimCi 
and /c2 = dimC2. For m = the m-th relative generalized Hamming weight 

(RGHW) is: 

Mm{,Ci,C2) = min{#Supp(D) | D C Ci is a linear space 

with dim(D) = m and D H C 2 = {0}}, 

where Supp(D) = {i E { 1 , 2 ,..., n} | 3 d G -D, d* 7^ 0 }. For m = 1 , 2 ,..., ki, the m-th 
generalized Hamming weight (GHW) of C\ is defined as dm{Ci) = MmiCi, {0}). 

Clearly, the RGHWs can be lower bounded by the GHWs of the same index, 
and as the latter are often easier to estimate we shall also take an interest in them. 
The following theorem, which is [T^ Th. 3 ], gives a characterization of the threshold 
numbers and in terms of the RGHWs of the pairs C2 ^ Ci and ^ 
where denotes the dual of the linear code C. 

Theorem 3. Consider a linear ramp secret sharing scheme based on codes C 2 C 
Cl C F”. Then for m = 1,2,... ,i, 

tm = MjniC^jCi) - 1, and 
fm = n — M£_m+i(Gi, G 2 ) 3-1. 

Observe, that as a consequence we obtain > d{Cf) — 1 and r^ < n — 
di-m+iiCi) + 1 . Given a sequence of linear ramp secret sharing schemes satisfy¬ 
ing (j2]), numbers H < 61,62 < 1 and any two sequences {mi{i))^i and {m2{i))fli with 


{mi{i)/ni) -E 6 iL 

and 

hmj^oo(nr2(*)/'ni) —)■ 62L we then obtain 




lim inf ^1^^ > lim inf 

d{Ci) 

( 4 ) 



i—>oo Hi i—>-oo 

Hi 

0 ( 2 ) 

_ 






i^oo m 




< 



( 5 ) 



i^oo m 


A“>(£i) 

> 

lim inf 


(6) 


i^oo m 



> 

hminf 


( 7 ) 



i^oo m 



< 

Mm2(i) (C*!, C2) 

1 lim inf ’ 


( 8 ) 


i^Qo m 



< 

1 hminf 


(9) 


i-)-oo m 
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To study the optimality of linear ramp secret sharing schemes we recall the Singleton 
bound [IHl Section IV] for a linear code pair C 2 ^ Ci <Z F” and its dual pair ^ 
C 2 C F”: for each m = 1, 2,..., 


C 2 ) < n - fci + m, and < ^2 + m. ( 10 ) 

From these bounds and Theorem [3l it follows that > ^2 and tm < k 2 + m — l, 
and as a consequence 

- fid) > L ( 11 ) 

and 

Ad)(£ 2 )-Ad)(^^)>i:(i_^^_^ 2 ). ( 12 ) 

There exist choices of ffd) < fi( 2 ) f[TT|) is not nearly tight, meaning that 

L cannot be close to fl^) _ fi(i) xh. 3.26, Th. 4.6]. It is therefore surprising 
that for any hxed value of Ad)( 0 ) < Ad)( 0 ) there exist sequences of linear ramp 
secret sharing schemes with L arbitrarily close to Ad)(0) — Ad)(0). Even more, by 
the strict monotonicity of RGHWs [T8l Pro. 2], for such schemes L(1 — ei — £ 2 ) 
becomes arbitrarily close to Ad)(£ 2 ) — Ad)(e:]^) for all 0 < 61,62 < 1. Our proof is 
non-constructive, as might be expected, and it unfortunately does not reveal any 
non-trivial information on the corresponding values of fid) ^nd fl^). We leave it for 
further research to determine simultaneous information on these parameters, and in 
particular to decide if the sequences fulhll the requirements in Dehnition [T] for being 
asymptotically good. InJ^we prove the following result: 

Theorem 4. For 0< R 2 <Ri<l,0<S<l,0< 6-^ <1,0 <t< min{5, Ri —R 2 } 
and 0 < < min{5-*-, Ri — R 2 }, if 

Ri + 5 < 1 + T and (1 — R 2 ) + < 1 + (13) 


then for any prime power q there exists an infinite sequence of nested linear code pairs 
C 2 {i) $ Ci{i) C F”b where n, —)■ 00 for i —)■ 00 , and where 

, dim(Gi(f 
hm- 

i^oo rii 



lim 

i—^oo ?7,j 

hm ml- > 0 , and 

i^Qo m 

i^oo rii 

As a corollary we see that the difference in flT^ can become arbitrarily close to 
zero. 
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Corollary 5. For any 0 < R 2 < Ri < 1 there exists a sequence of linear ramp secret 
sharing schemes satisfying ^ with L = Ri — R 2 and having simultaneous 
arbitrarily close to R 2 +eiL and arbitrarily close to Ri—e 2 L for all 0 < £ 1 , £2 < 1- 

Proof. As noted prior to Theorem 0] by the strict monotonicity of the RGHWs it 
is enough to prove L = Ri — R 2 and that Ad)(0) can be arbitrarily close to R 2 
simultaneously with A(^)(0) being arbitrarily close to -Ri. We start by proving a 
result which at a hrst glance seems weaker - but from which the above will follow. 
Let 0 < £ < min{i?i/L, {1 — R 2 )/L} and choose arbitrarily small /r > 0. In Theorem 0] 
choose T = T-^ = eL, 6 = 1 — Ri+eL — p, and 6 ^ = R 2 + eL — p. By inspection all 
the conditions of the theorem are satished and therefore by ([6]) and ([8]) for any e in 
the considered interval there exists a sequence of linear ramp secret sharing schemes 
satisfying ([2]) such that Ad)(e) is arbitrarily close to R 2 + eL simultaneously with 
A(^^(£) being arbitrarily close to Ri — eL. The theorem hnally follows by considering 
a sequence of numbers between 0 and min{i?i/L, (1 — R 2 )/L} and with 

limj^ooe^(*) = 0. For each e{i) we have a sequence S{i) of secret sharing schemes as 
described above. Now build a new sequence of schemes in which the Ath scheme is the 
Ath scheme from the sequence iS(i). The resulting scheme satishes the requirement 
mentioned at the beginning of the proof. □ 

3 Asymptotically good sequences of schemes from 
algebraic geometric codes 

In the remaining part of the paper we concentrate on ramp secret sharing schemes 
dehned from pairs of nested algebraic geometric codes. In the present section we 
collect known information to describe what is possible concerning the parameters L, 
and In subsequent sections we then derive information on A*^^)(e:i) and 

A*'^^(£2)- 

Let R be an algebraic function held over of transcendence degree one. In the 
rest of the paper we consider divisors D = Pi + ■ ■ • + and G with disjoint supports, 
where the places P, are rational and pairwise distinct. For any divisor P, we dehne 
the Riemann-Roch space P(P) of functions / G P such that the divisor (/) + P is 
effective (see also jini Def. 2.36]). We denote by Cc{L),G) the evaluation code of 
length n obtained by evaluating functions / G C{G) in the places Pj. An algebraic 
geometric code is a code of the form Gc{L), G) or Gc{D, G)-^. We call the hrst primary 
algebraic geometric codes and the latter dual. The well-known Goppa bound [IPl Th. 
2.65] gives information on the relation between dimension and minimum distance for 
primary or dual codes. 

Theorem 6. Let G be an algebraic geometric code of dimension k defined from a 
function field of genus g. Then the minimum distance satisfies d{G) > n — k + 1 — g. 

Given a function held P, we shall write P(P) for its number of rational places 
and g{R) for its genus. For asymptotic purposes, we will make use of Ihara’s constant 
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A{q) = lira sup 

g{T)-^oo 


mr) 

am' 


where the limit is taken over all function fields over ¥g of genus g{J^) > 0. The 
Drinfeld-Vladuf bound [2^ states that 


kl(g)<\/g-l. (14) 

As is well-known A{q) is always strictly positive and equality in fimi holds if g is a 
perfect square [16]. See |T] for the status on what is known about A{q) for q being a 
non-square. For convenience, we give the following definition; 

Definition 7. A tower of function fields over Fg is optimal if N{J^i) —)■ oo and 

N{J^i)/g{J-i) —)• A{q) for i ^ oo. On the other hand, (0*)^;^ is an optimal sequence 
of one-point algebraic geometric codes defined from if ni/N{J^i) —)■ 1 for i ^ oo, 
where Ui is the length of Ci. 

The above together with (|1]) and ([S]) immediately combine into the following result 
concerning the existence of asymptotically good sequences of ramp secret sharing 
schemes. 


Theorem 8. Let {C 2 {i) C Ci{i) C be a sequenee of nested algebraic geometric 

codes defined from an optimal tower of function fields and satisfying Ui = N{J^i) — 1, 
d\mCi{i)/ni —)■ Ri and dim02(i)/ni —)■ R 2 for some 0 < R 2 < Ri < 1 - Then the 
corresponding sequence of linear ramp secret sharing schemes (see Section\^ satisfies 
0(1) > ^2 - ^ and 0(2) < i?, + ^. 

In particular we obtain asymptotically good ramp secret sharing schemes (Defi¬ 
nition [1]) if < R 2 < Ri < 1 — If moreover R 2 < Ri then also the crucial 

requirement ([2]) is satisfied. Observe that due to the assumption = N{Ri) — 1 
we may choose the codes in Theorem |H] as one-point codes, meaning that without 
loss of generality we may consider codes of the form 02 (f) = Cc{R>, pi 2 ii)Q) and 
Oi(f) = Cc{D, /ii(f)Q), where D is the sum of Ui distinct rational places in Ri and Q 
is another rational place in the same function field. 


4 RGHWs and GHWs of algebraic geometric codes 

In this section, we give non-asymptotic analysis that are necessary in Sections [5] and 
[6]to treat the parameters A(i)(£i) and A( 2 )(£ 2 ) of the sequences of algebraic geometric 
schemes discussed in the previous section. The next theorem combines [T^ Th. 2.65], 
[241 Th. 4.3, Cor. 4.2] and [2^1 Th. 1]. The first part which is a generalization of 
Theorem [6] is known as the Goppa bound for GHWs. 

Theorem 9. Let C be an algebraic geometric code of dimension k defined from a 
function field of genus g. Then dm{C) > n — k + m — g, for 1 < m < g, and 
dm{C) = n — k + m, for g + 1 < m < k. 



For algebraic geometric codes C 2 £ (Fi, the above theorem exactly gives dm{Ci) 
and Mm{Ci,C 2 ) when g < m. In Proposition WI\ and Proposition [T^ below, we will 
improve it in the case m < g for one-point codes. From now on we will concentrate on 
one-point algebraic geometric codes. That is, codes Cc{D,G) or Cc{D,G)^, where 
G = fiQ, Q is a rational place and /r > —1. Writing uq for the valuation at Q, the 
Weierstrass semigroup corresponding to Q is 


H{Q) 


-^Q 



{/xeNo|£(/iQ)^£((/r-l)g)}. 


As is well-known, the number of missing positive numbers in H[Q) equals the genus 
g of the function held. The conductor c is by dehnition the smallest element in H{Q) 
such that all integers greater than or equal to that number belong to the set. The 
following lemma is well-known |151 Th. 2.65]: 

Lemma 10. For g, > —1, k = dimGc{D,gQ) satisfies: 

• k>g + l — gifg<2g — 2, 

• k = g + l — gif2g — 2<g<n, and 

• k<g + l — gifn<g. 

If g = n + 2g — 1, then Gc{D, gQ) = F”. 

From m Th. 19, 20] we have the following result. 

Theorem 11. Let Gi = Gc{D, giQ) and G 2 = Gc{L),g 2 Q), with —l<g 2 < gi- 
Write ki = dimCi, ^2 = dim (72 and i = ki — k 2 - //1 < m < £, then 

1 . Mm(C'i,C' 2 ) >n-gi + min{#{a e + H{Q)) \ a ^ H{Q)] \ -{gi - 

L 2 ) -|- 1 < A < • • • < im-l ^ ~1}- 

2. M^{Gf,Gf) > min{#{a e LlfL^{is +(gi-H{Q))) \ a G H{Q)} \ -{gi-g 2 ) + 

1 < A < • • • < < 0}. 

Choosing G 2 = {0} in item 1, we obtain a bound on the GHWs of Gi. Similarly, 
choosing Gi = F” in item 2 , we get a bound on the GHWs of Gf. 

Proposition 12. For 0 < 7 < c, let h^ = jf{H{Q) fl ( 0 , 7 ]) and let g > —1 and 
k = dim. Gc{F), gQ). If g < n and l<m< mm{k., g}, then 


dm{Gc{D, gQ)) > n — k + 2m — c + hc-m > n — k + 2m — c. 


Proof. We will apply item 1 in Theorem [TT] for gi = g and g 2 = —1. Gonsider 
numbers —g < ii < ■ ■ ■ < im-i < —1- We have [c — m -|- 1, c] \ II{Q) C [max{0, c -t- 
A}, c] \ H{Q) C {a G + Ff(g)) | a ^ H{Q)}n [0, cxd), where the hrst inclusion 

comes from A < —Now the number of elements in [c— c\r\H{Q) is at most 
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{c — g) — hc-m, and we have that # ({a G + H{Q)) \ a ^ H{Q)} n [0, cxd)) > 

m — [c — g) + hc-m- On the other hand, we have that {ii,..., im-i} C {a G + 

H{Q)) I a ^ H{Q)}n (— 00 , 0). Thus, from Theorem [TTl we obtain dm{Cc{D-, g-Q)) > 
{n — g) + {m — 1) + {m — c + g + hc-m)- Since k>g — g + lhy Lemma fTOl the result 
follows. □ 

Proposition 13. For 7 > 1, let h'^ = ^^([ 7 , 00 ) \ H(Q)) and let jj, > 2g — 2 and 
k = dimC'£(Zl, gQ)'^- // 1 < nr < min{/c, g}, then 

dm{Cc{D, gQ)'^) >n-k + 2 m-c + > n - k + 2m - c. 

Proof. We will apply item 2 in Theorem [TT] for fii = n + 2g — 1 and g 2 = g to prove 
that Mm{Cf, Cl) > k 2 + 2m — c + where k 2 = dim (72. Consider numbers 

— (/ii — P 2 ) + 1 < < • • • < < 0. First, {im + gi — H{Q)) O [ 0 ,^ 2 ] contains the 

set [0,/ii — c — (pi — /i 2 ) + m] = [ 0 ,p 2 — c + m], since im > ~{gi ~ ^ 2 ) + nr and 
gi — c — (/ii — /i 2 ) + nr < 1 ^ 2 - Here, we used the assumption m < g and the fact 
that g < c. Thus, {{im + gi — H{Q)) O H{Q) fl [0,/i2]) is greater than or equal 
to {g 2 - c + m + 1) — {g - On the other hand, {gi + ii,..., gi + im} 

is contained in {a G + {gi — H{Q))) \ a G H{Q)}, which are m elements 

in the range {g 2 ,gi]- Thus, from the previous theorem we obtain Mm{Cf,Cf) > 
(/i 2 — c + m + l — g + hfj, 2 -c+m) +nr. Since k 2 < g 2 — g + t and Ci = by Lemma [TUI 
the result follows. □ 

5 Asymptotic analysis for algebraic geometric codes 

As a preparation step to treat the parameters A*'^^(e:i) and A(^^(e 2 ) of sequences of 
schemes based on algebraic geometric codes, in this section we derive asymptotic 
consequences of the non-asymptotic results derived in the previous section. We start 
our investigations by commenting on m Th. 5.9], which if true would imply that the 
codes in Theorem | 8 ] would attain the Singleton bound fiT 2 |) in all cases < R 2 < Ri < 
1 — T and for all 0 < 61,62 < 1. Below we reformulate m Th. 5.9] with the needed 
modification which ensures that the Singleton bound is reached when 1/A{q) < p, in 
contrast to 0 < p, as it appears in |23]. We also adapt the formulation to better fit 
our purposes of constructing asymptotically good sequences of secret sharing schemes. 
We include the proof from [21] to explain why this modification is needed. 

Theorem 14. Let an optimal tower of function fields overWg. Consider 

R, p with 0 < p < R < 1. Let {Ci)’^i be an optimal sequence of one-point algebraic 
geometric codes defined from such that dim(7j/nj —)■ R. For all sequences of 

positive integers {mi)fli with mi/ui —)• p, it holds that 6 = liminfj^oo dmi((7j)/nj > 
1 — R -\- p — and, if 1/A{q) < p, then 5 = 1 — R + p. 

Proof. The first bound on <5 is an easy consequence of the Goppa bound (the first 
part of Theorem [U]). Now assume 1/A{q) < p. By assumption, for i large enough 
we have mi > g{Ri), which by the last part of Theorem [9] implies that dmi{Ci) = 
Ui — dimCi + mi. Dividing by Ui and taking the limit, we obtain the result. □ 
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The theorem states that the Singleton bound flTUD can be asymptotically reached 
when 1/A{q) < p, which implies l/{y/q — 1) < p by ([TT|) . However, this leaves 
the cases 1/A{q) > p undecided. In the following, we shall concentrate on hnding 
asymptotic results for the cases 1/A{q) > p. We will need [231 Cor. 3.6] and Wei’s 
duality theorem |26l Th. 3], which we now recall in this order; 

Lemma 15. For every linear code C (ZW^ we have that 

Lemma 16. Let C be a linear code, dimC = k. Write dr = dr{C), = ds{C-^) 
for 1 < r < k, 1 < s < n — k. Then, 

{ 1 ,..., n} = {di, ..., 4 } U {n + 1 - ...,n + l- d^}. 

Our first result is a strict improvement to Theorem flTl 

Theorem 17. Let (4)“]^ be an optimal tower of function fields over F^. Con¬ 
sider R, p with 1/A{q) < R < 1 and ^ P ^ R- Let be an 

optimal sequence of one-point algebraic geometric codes defined from (4)“]^ such 
that AmvCi/ni —)■ R. There exists a sequence of positive integers such that 

rui/ni p and dmi{Ci)/ni 5 = l — R + p. 

Proof. In this proof we use the notation R = dimCj. Let / : N —)■ N be a function 
such that f{i) —)■ cxo and f{i)/ni —)■ 0 , as z —)■ oo. Now fix i. The Goppa bound 
(Theorem [9]) together with Lemma [15] tell us that 

Write h{i) for the right-hand side, that is, df(i){C:f) > \h{i)~\. Observe that h{i) > 0, 
since asymptotically ki > p(4). If we write df = dgiC^) for 1 < s < rij — ki, we 
have that rzj -|- 1 — ]"/?-(?)] > rij -|- 1 — From this inequality and the monotonicity 
of GHWs, it follows that the sets 


{ui + l- \h{i)],ni + 2- r/z(z)],. ..,/!*} and 

+ 1 - ..., n* 1 - dpp)_^i} 

are disjoint. Therefore, from Lemma fTHl it follows that 

dki-\h{i)-]+f{i){Ci) >ni + l- \h{i)']. (15) 

Now take a sequence of positive integers {mi)°Li such that 

ki - \h{iy\ F f{i) <mi <ki (16) 
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(observe that the left-hand side is smaller than ki for large i). From flT^ . ([TB]) and 
the monotonicity of GHWs we get 


drriiiCi) ^ (C*j) uii ki -\- |~h(i)1 /(O 

>ni-ki + mi- f{i) -h 1. 

Dividing by rij and letting i ^ oo, f[T6|) and flT7|) become 

q 1 1 


(17) 


q — I A{q) q — I 


R < p < R, 


S= = l-i? + p. 


i->-oo m 


□ 


We have the following result for lower values of p. 


Theorem 18. Let (J7)^i be an optimal tower of function fields over¥q. Consider 
R, p with 0 < p < -R < 1. Let be an optimal sequence of one-point algebraic 

geometric codes defined from (J7)^i such that dimCj/uj —)■ R. For all sequences 
of positive integers {rnf)’^^ with mi/ni —)■ p, the number 6 = liminfj^oo <^mi(C'j)/nj 
satisfies 


6 > 


q 

q-l 



+ p. 


Proof. Let 0 < e < 1 be an arbitrary hxed number. From the Goppa bound (Theorem 
[H]) and Lemma [T5] we obtain that 


dlempia) ^ - 1 


Ui 


q£7ni _ qerrii-l 


dim Ci gi 


Ui 


Ui 


Using again the monotonicity of GHWs we obtain that 


dmfiCf) ^ g--* - 1 


Ui 


~ qsrni _ qerrii-l 


^ _ dimGj _ mfil - e) 


Ui 


Hi 


Hi 


Now, letting i ^ oo hrst and then e —)• 0, we obtain 






q-l 




□ 

In the following, we concentrate on Garcia and Stichtenoth’s second tower m 
of function helds (J7)^i over Fg where g is an arbitrary perfect square. From [2Tj 
we have a complete description of the corresponding Weierstrass semigroups and |23] 
gives an efficient method for constructing the corresponding optimal sequences of 
one-point algebraic geometric codes. We will apply the two new bounds on GHWs 
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given in Proposition WI\ and Proposition [T^ to this tower. In the rest of this section, 
q is always a perfect square and by we mean Garcia and Stichtenoth’s second 

tower m We will need the following properties of each (El ESI): its number of 

i —1 

rational places satishes > q~ [q — ^/q), its genus is given by 




{qi — 1 )^ if i is even, 

— l)(g^ — 1 ) if i is odd. 


and it has a rational place Qi such that the conductor of H{Qi) is given by 

J — g*/'^ if i is even, 
g*/^ — gh+i)/4 if j ig odd. 

In the rest of the section, is an optimal sequence of one-point algebraic ge¬ 
ometric codes defined from and where Ci is of the form Cc{Di, fiiQi) or 

Cc{Di, Recall from j23] that we may assume without loss of generality that 

Di is chosen in such a way that Ci can be constructed using 0{ni^ logq(?7.j)) operations 
in Fq. 

Theorem 19. Let be Garcia-Stichtenoth’s second tower of function fields over 

Fg, where q is a perfect square. Let be a corresponding optimal sequence of one- 

point algebraic geometric codes as described above. Consider R, p with 0 < R < 1 — 
0 < p < min{i?, o,nd assume that dimGj/rij —)■ R. For all sequences 

of positive integers {mi)’^i with mi/ui —)■ p, it holds that 6 = Ymvmii^^dmiiCi)/ui 
satisfies 

(5 > 1 — R -\- 2p-———. 

Proof. We may assume that Ci is of the form Cc{Di, piQi) or Cc{Di, piQi)-^, with 
-2 < Pi <ni and {pi- g{Ri))/ni R. As limj^ooCi/nj = limi^^ g{Ri)/ni = 
l/(y^— 1), the result follows from Proposition [12] or Proposition [13] □ 


6 The parameters A^^\£i) and for algebraic 

geometric code based schemes 

In Section 12] we estimated and for asymptotically good sequences of schemes 

based on algebraic geometric codes coming from optimal towers of function helds, 
the sequences being called asymptotically good if > 0 and < 1. Employing 
the analysis in Section [5] together with ([7|) and (jOj) we are now able to give a more 
complete picture of the information leakage and reconstruction by providing also 
estimates on and We emphasize that the below theorems apply also 

in the cases where one or both of the conditions > 0 and < 1 fails to hold. 
Throughout the section recall that by dehnition the numbers ei and £2 always satisfy 
0 < £ i ,£2 < 1 - 
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Theorem 20. For the sequence of linear ramp secret sharing schemes described in 
Theorem\^ we have the following estimates: If 1/A{q) < 1 — R 2 and ei > — 

^(1 - R 2 ))/L then > R 2 + £iL. If l/A{q) < Ri and 82 > - 

-^Ri)!L then A^‘^\e 2 ) < -Ri — £ 2 A. 

Proof. Apply Theorem [T7] with p = SiL and p = £ 2 ^, respectively, in combination 
with ([7j) and ([H]), respectively. □ 

Theorem 21. For the sequence of linear ramp secret sharing schemes described in 
Theorem\E we have the following estimates: A(^^(e:i) > ~ 

Proof. Apply Theorem [TS] in combination with ([7]) and (jH]). □ 

Observe that from Theorem [21] we get an estimate on A’^^)(0) wich is g/(q' — 1) 
times as large as the estimate on 0^^ in Section [21 Hence, the stndied seqnences of 
secret sharing schemes are more secnre than previously anticipated. A similar remark 
holds regarding reconstruction. 

Theorem 22. Let q be a perfect square. For the sequence of linear ramp secret sharing 
schemes described in TheoremlBwe have the following estimates: If R 2 > l/{y/q — 1) 
and El < then > R 2 + 2 E 1 L- If Ri < and 82 < 

then A*^^^ { 82 ) < — 2^2A + ■ The i-th scheme in the sequence can be constructed 

using 0 {nf\og{niY) operations in Fg. 

Proof. Apply Theorem [19] in combination with ([7]) and (J9|). □ 

We finally remark that when g is a perfect square, then similarly to Theorem [2^ 
one can assume in Theorem [2U] and Theorem [TT] that the Ath scheme in the sequence 
can be constructed using 0 {n^ log(nj)^) operations in Fg. 
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A Proof of Theorem 3] 


In this appendix we give a proof of Theorem HJ The theorem is an improvement of [201 
Th. 9], the improvement stating that the RGHWs of primary and dual nested linear 
code pairs can get simultaneously asymptotically as close to the Singleton bound flTOj) 
as wanted. We use the notation and results in [T31 HSl ESI In particular, we use 
the concept of relative dimension length prohle (RDLP) as appears in [T51 Sec. III]. 
For 1 < d < n, and linear codes C 2 ^ Ci G F” dehne 

Kd{Ci, C 2 ) = max{dim(C'i n Vi) — dim(G 2 H Vi) \ 

I C {l,...,n},#/ = d}, 


where V/ = {x G F” | x* = 0 if i ^ /}. The sequence (iFrf(Gi, G 2 )) 2 =i is then the 
RDLP of the pair C 2 ^ Ci and is known to be non-decreasing [T51 Prop. Ij. Our 
interest in the RDLP comes from the following result corresponding to the hrst part 
of da Th. 3]: 

C 2 ) = mm{d \ Kd{Ci, C 2 ) > m). (18) 

As in dSlDS], we dehne for integers a,u,v,w the numbers; 


Ni{w,u) 


nr=o 


N2{w,U,v) 




and N^i^w, u, v, a) = Ni{u, a)N 2 {w — a, u — a, v — a). The meaning of Ni is [13]) |ISl 
Lem. 5 and 6 ]; 


Lemma 23. Let W be an ¥q-linear vector space and let u, v, w = dimkF he non¬ 
negative integers. If u < w, then Ni{w,u) is the number of subspaces U G W of 
dimension u. Furthermore, if U is fixed and u < v < w, then Ni{w — u,v — u) is the 
number of¥g-linear vector spaces V such that U G V G W and dimR = v. 

From da Lem. 9] we have: 

Lemma 24. Consider fixed integers 1 < k 2 < ki < n and a fixed set I G {1,..., n} 
with ffl = d. Let s he an integer with s < min{(i, fci — k 2 \. The number of linear 
code pairs O 2 £ Oi C F^ such that dimOi = ki, dim02 = ^ 2 , and dim(Oi 0 V/) — 
dim (02 n Vi) = s, eguals 


N^^n, ki,k 2 , d, s) 


min{d—s,/c 2 } 


E 

a=0 


(^Ni{d,a) 


N 2 {n — a,d — a, k 2 — a)A" 3 (n — k 2 ,d — a, ki 


h,s) 


We next extend [ISl Cor. 3]. 
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Theorem 25. Consider fixed integers 1 < k 2 < ki < n, 1 < d < n, 1 < d^ < n, 
1 < s < min{(i, ki — ^ 2 }; ond 1 < S"*" < ki — ^ 2 }. There exists a nested 

linear code pair C 2 Q Ci <Z such that dimCi = ki, dim 6*2 = ^ 2 ; Ms{Ci,C 2 ) > d 
and Mg±{Cf,Cf) > d-^, if 


ki—k2 

^ N 4 {n,ki,k 2 ,d,a) 

' a=s 

+ {^±] Ni{n,n - k2,n - ki,d-^,a-^). 

Proof. By Lemma [23l the term Ni{n, k2)Ni{n — /c2, ki — ^2) is the total number of 
pairs C2 C Cl C such that dimCi = ki and dimC2 = ^2. On the other hand, by 
Lemma [211 the number of pairs C2 C Ci C F” such that dimCi = fci, dimC2 = /c2 
and Kd{Ci,C2) > s is at most (”) iV 4 (? 7 ,, fci,/c2, d, ex). Similarly, the number 

of pairs C2 C Ci C F” such that dimCi = fci, dimC2 = ^2 and > 

s-*- is at most (Jl) — k2,n — ki,d^,a^). The inequality therefore 

ensures the existence of a code pair C2 C Ci C F” with dimCi = ki, dimC2 = 
k2, Kd(Ci,C2) < s and K^±{Cf,Cf) < S"*-. But the RDLP is non-decreasing and 
Kn{Ci,C2) = Kn(Cf,Cf) = ki — k2 which is larger than or equal to s and s'. 
Therefore there exists a smallest index j such that Kj{Ci,C2) > s and a smallest 
index j-*- such that Kj±{Cf,Cf) > S"*- and j > d as well as > d^ hold. The 
theorem now follows from flT 8 |) . □ 

To apply Theorem [21] in an asymptotic setting we will need a couple of lemmas. 
Lemma 26. Define 7 i{q) = nSi(l ~ *?”*)■ Then 

< Ni{w,u) < (19) 

N2{w,u,v) < 

iV3(w, M, V, a) < T^i^q)-‘iq<^-Cq{v-a){w-v) _ (' 20 ) 


Proof. The inequality (IT^ is [TTl Cor. 2] and the last two inequalities correspond 
to j2ni Lem. 3] except that vr(g)“^ in f[2nj) by a mistake was there written 7 r{q) ^ and 
similarly q°-C-'^) -^^^as written □ 

The next lemma corresponds to [HI Ex. 11.1.3]. 

Lemma 27. Let Hq{x) = —x\ogq{x) — {1 — x) logg(l — x), then 

n -|- 1 ~ \m 

With the above machinery we can now give the promised proof. 
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Proof of Theorem (4], Let -Ri, R 2 , 6, r and r-*“ be as in the theorem 
(in particnlar assume (fT5]) to hold). Let be a strictly increasing sequence of 

positive integers and dehne ki{i) = k2{i) = \niR2], s{i) = [njr], = 

[niT"*-], d{i) = \ni 5 \ and d^{i) = \ni 5 ^\. Using Theorem 1251 we will show that for i 
large enough there exist nested linear codes C* 2 (i) C Ci{i) C F”' of dimensions k2{i) 
and ki{i), respectively, with 


> d{i), and > d-^{i). (21) 

Observe that f[T3|) implies that 

ki{i) + d{i) — Hi — s{i) < 0, (22) 

{ui - k 2 {i)) + d-^{i) -rii- s^{i) < 0, (23) 

which we will need later in the proof. For brevity, we will write fci, ^ 2 , d, d-^, s, S"*-, 
and n rather than ki{i), k 2 {i), d{i), d^{i), s{i), and rii. Applying Lemma [2B1 

Lemma [23 and Theorem [23 we see that a sufficient condition for the existence of a 
linear code pair satisfying f[2T]) is 


7^(g)2gfc2(ri--fc2)g(fci-fc2)(n-fci) 




> q 


.nHq{dln) 


E E 


a=0 




— i„{k2—a.)in—a—k2+a) f \—2a{d—a—a) {ki—k2—cr){n—k2—ki+k2) 


ki—k 2 min{d-^—a-^,n—k 2 —o-^,n—ki} 

E E 


+q 


.nHq{d^ /n) 


a =0 




7r{q) 


— l^{n—ki—a){n—a—n+ki+a)^^^'j—2^a^{d^—a—a^)^{ki—k2—o-^)k2 


q'- 


But then another sufficient condition (named Condition A) for the existence of a 
nested code pair satisfying ([2T]) is 


gk2{n-k2)+{ki-k2){n-ki) ^ 


f{q, n) max < q°-i'^-°‘)+i^2-a)(n-k2)+u(d-a-a)+{ki-k2-a){n-ki) 


s < (T < fci — ^2, 0 < a < min{d — a,ki — a, /C2} j + 
/x) max o'-'-)fc 2 

s~^ < a~^ < ki — k2, and 
0 < a < min{(i-*- — n — k 2 — <J^, n — ki} >, 
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where f{q,n) = and where f^{q,n) = 7i{q)~^q"‘^‘>^'^^^"'^n^. Con¬ 

sider now the expression a{ki + d — n — a — a), which contains the terms in the first 
exponent on the right-hand side of Condition A related to a. As a fnnction in a, this 
is a downward parabola intersecting the hrst axis in a = 0. For s < cr, it follows 
from fl22|l and 0 < a that ki + d — n — a — a < 0. Hence, the maximal value of 
a{ki + d — n — a — a) for s < cr is attained when a = s, and we therefore substitute a 
with s in Condition A. In a similar fashion, we see from fl23D that cr-*- can be replaced 
with fi-*-. After these substitutions, the terms related to a in the first exponent on the 
right-hand side of Condition A become —-|- a(A ;2 + d — n — s), which is equal to 0 for 
a = 0 and negative for a > 0, as a consequence of fl2^ . Similarly, the terms related 
to a in the last exponent on the right-hand side become —-|- a(d-*- — fci — s-*-) which 
again is equal to 0 for a = 0 and negative for a > 0 as a consequence of (12^ . Hence, 
we can substitute a with 0 in Condition A. After the above substitutions. Condition 
A simplihes to 


^k2{n-k2)+{ki-k2){n-ki) ^ ^'^gk2{n-k2)+s{d-s)+(ki-k2-s){n-ki) 


In this formula, we now replace the two expressions on the right-hand side with the 
largest one multiplied by 2. We then take the logarithm over q and hnally divide by 
n^. Assume that the hrst term on the right-hand side of Condition A is greater than 
or equal to the last term. After simplifying equal terms on both sides and using the 
dehnition of fci, d and s, we see that Condition A holds if 


0 > g{i) + - t) - - Ri), (24) 

where g{i) = logg(2/(g, ni))/n^, which goes to 0 as i goes to inhnity. Similarly, if the 
last term on the right-hand side is greater than or equal to the hrst term, we see that 
Condition A holds if 

0 > g-^{i)-r-^)- t-^R2, (25) 

where g^{i) = logg(2/-‘-(q', ni))/nj, which again goes to 0 as z goes to inhnity. Finally, 
for i large enough, fl24p follows from the hrst part of flT2]) . since r > 0, and fl25]) 
follows from the last part of flT5]) . since r-*- > 0. Therefore, Condition A holds for i 
large enough and we are done. □ 
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